I have a FortiGate F80 (7.6.0) for testing, where I created an IPsec VPN for clients.
I can connect correctly to the FG.
When I enable/disable split tunnel I always have the same ISP IP address. What have I forgotten?
I created the IPsec with the wizard and the documentation from Fortinet.
Hi Ninio,
Thank you for contacting Fortinet support. When you enable split tunnel, do you also change the firewall policies to make sure the destination for incoming traffic is not "all"? Instead it should be specific. Also, I assume that when you enable split tunnelling you are disconnecting and reconnecting the VPN, or it is getting disconnected automatically on the client side. Other than these notes, I would recommend running IKE debugs and checking the VPN event logs on the FortiGate:
- debug commands:
diag debug app ike -1
diag debug console time en
diag debug enable
- VPN events are located at: "Log & Report > Events"
Thank you,
saleha
Thanks,
Connection to my LAN works great. I see that I must add the IPsec IP network to the firewall, and I have Internet. But the Internet goes out through my FG company default gateway.
I want to change it to my home gateway, with access only to my company local LAN (some devices).
Where can I find information about the policy with IPsec split? I can't find information about it.
Hi Ninio,
Hope you are doing well.
You can use the following article to achieve split tunnel with IPsec VPN for clients:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-split-tunnel-For-IPsec-VPN/ta-p/192...
Regards,
Parteek
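The two points made in the replies above, a split-tunnel dial-up IPsec configuration and a firewall policy whose destination is the LAN rather than "all", as one added FortiOS CLI example. This is not configuration from the thread or from the linked article; the object names (ipsec-clients, company-lan, ipsec-client-pool), the interfaces wan1 and internal, the subnet 192.168.10.0/24 and the client pool 10.100.100.10-100 are assumptions, and the PSK is a placeholder.

```fortios
# Added example, not from the original thread. Assumed names and addresses:
# tunnel "ipsec-clients", WAN "wan1", LAN "internal", LAN subnet 192.168.10.0/24,
# client pool 10.100.100.10-10.100.100.100.

# 1. Address objects. "company-lan" is the only network that will be pushed
#    to the client; everything else stays on the client's own default gateway.
config firewall address
    edit "company-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "ipsec-client-pool"
        set type iprange
        set start-ip 10.100.100.10
        set end-ip 10.100.100.100
    next
end

# 2. Dial-up phase1 with mode-config. ipv4-split-include is the setting that
#    turns split tunnelling on; with it unset the client installs a default
#    route through the tunnel and all Internet traffic exits via the FortiGate.
config vpn ipsec phase1-interface
    edit "ipsec-clients"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set mode-cfg enable
        set ipv4-start-ip 10.100.100.10
        set ipv4-end-ip 10.100.100.100
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "company-lan"
        set psksecret "replace-with-a-long-random-secret"
    next
end

config vpn ipsec phase2-interface
    edit "ipsec-clients-p2"
        set phase1name "ipsec-clients"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
    next
end

# 3. Policy from the tunnel to the LAN. The destination is the LAN object,
#    not "all": a policy with dstaddr "all" would also forward any client
#    Internet traffic that still arrives over the tunnel.
config firewall policy
    edit 0
        set name "ipsec-clients-to-lan"
        set srcintf "ipsec-clients"
        set dstintf "internal"
        set srcaddr "ipsec-client-pool"
        set dstaddr "company-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# Verification. Split-include is delivered to the client during IKE mode-config,
# so the client must disconnect and reconnect after any change:
#   diagnose vpn ike gateway list
#   diagnose vpn tunnel list
```

After reconnecting, the client's routing table should show only 192.168.10.0/24 (plus the tunnel host route) via the Fortinet virtual adapter, and a public IP lookup from the client should return the home ISP address, not the FortiGate's WAN address.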
Hi,
I saw it but it did not work. I can't find a solution to the IPsec VPN error. I have opened a ticket for it.
I have checked SSL VPN split tunnel and IPsec split tunnel after connecting:
Description . . . . . . . . . . . : Fortinet SSL VPN Virtual Ethernet Adapter
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . :
IPv4 Address. . . . . . . . . . . : 10.212.134.200(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
I see that the SSL split tunnel did not fill in a default gateway on the interface,
but the IPsec VPN tunnel fills it in like this:
Description . . . . . . . . . . . : Fortinet Virtual Ethernet Adapter (NDIS 6.30) #2
Physical Address. . . . . . . . . : 00-09-0F-FE-00-01
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::3a0b:a474:bb05:aefc%11(Preferred)
IPv4 Address. . . . . . . . . . . : 10.100.100.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Lease Obtained. . . . . . . . . . : Wednesday, 11 September 2024 11:14:57
Lease Expires . . . . . . . . . . : Sunday, 19 October 2160 02:53:18
Default Gateway . . . . . . . . . : 10.100.100.2
DHCP Server . . . . . . . . . . . : 10.100.100.2
Is this some kind of issue? Where can I find information about the DHCP server in IPsec?
Hi Ninio,
Thank you for the reply. You will most likely need an external DHCP server and a firewall policy to allow the traffic from the IPsec tunnel to the DHCP server, similar to the example at the following document link:
https://docs.fortinet.com/document/fortigate/7.2.8/administration-guide/189440
Thank you,
saleha
Copyright 2024 Fortinet, Inc. All Rights Reserved.